EP2874367A1 - Call authentication method, device, and system - Google Patents

Call authentication method, device, and system Download PDF

Info

Publication number
EP2874367A1
EP2874367A1 EP20130803875 EP13803875A EP2874367A1 EP 2874367 A1 EP2874367 A1 EP 2874367A1 EP 20130803875 EP20130803875 EP 20130803875 EP 13803875 A EP13803875 A EP 13803875A EP 2874367 A1 EP2874367 A1 EP 2874367A1
Authority
EP
European Patent Office
Prior art keywords
authentication data
user terminal
mme
emergency call
hss
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP20130803875
Other languages
German (de)
French (fr)
Other versions
EP2874367A4 (en
EP2874367B1 (en
Inventor
Shiyun XIE
Lanjian CAO
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Publication of EP2874367A1 publication Critical patent/EP2874367A1/en
Publication of EP2874367A4 publication Critical patent/EP2874367A4/en
Application granted granted Critical
Publication of EP2874367B1 publication Critical patent/EP2874367B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/90Services for handling of emergency or hazardous situations, e.g. earthquake and tsunami warning systems [ETWS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/71Hardware identity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/50Connection management for emergency connections

Definitions

  • the present invention relates to the field of wireless communication, and particularly, to a call authentication method, device and system.
  • An emergency call is a peculiar voice service in the mobile communication system, in which a mobile subscriber is allowed to call emergency call centers such as 120 center and 119 fire alarm and so on provided by operators through a mobile communication network covering its location in a case that a mobile terminal is in limited calling or a Subscriber Identity Module (SIM) card is not inserted, wherein, the case that the mobile terminal is in limited calling or the SIM card is not inserted is called an emergency attachment case.
  • SIM Subscriber Identity Module
  • the mobile terminal initiates an emergency call to the network side in the case of emergency attachment, and the network side can generally neglect an International Mobile Subscriber Identity (IMSI) of the mobile terminal and allows the mobile terminal to access a core network.
  • IMSI International Mobile Subscriber Identity
  • the mobile terminal is required to send its International Mobile Equipment Identity (IMEI) of the mobile terminal to the network side; and when receiving the IMEI of the mobile terminal, the network side takes the IMEI as identity information for the mobile terminal emergently accessing the core network.
  • IMEI International Mobile Equipment Identity
  • FIG. 1 is a flow chart of a subscriber initiating an emergency call through the mobile communication network by using the mobile terminal, and the following steps are included.
  • a Radio Resource Control (RRC) connection is established between a mobile terminal (i.e., a User Equipment (UE)) and a base station at the location where the UE is located (i.e., an Evolved Node B (eNodeB)).
  • RRC Radio Resource Control
  • step 2 the UE sends a request message to the eNodeB, the request message contains a call type and an access network identity, wherein, the call type is an emergency call type.
  • the access network identity can be a Globally Unique Temporary Identity (GUTI) or a Packet Temporary Mobile Subscriber Identity (P-TMSI) saved by the UE, or an IMSI of the UE, or an IMEI of the UE.
  • GUI Globally Unique Temporary Identity
  • P-TMSI Packet Temporary Mobile Subscriber Identity
  • step 3 the eNodeB selects a Mobile Management Entity (MME) for the UE, and forwards the received request message to the MME.
  • MME Mobile Management Entity
  • step 4 the MME judges whether the MME itself has an ability of responding to the emergency call, when determining that it has the ability of responding to the emergency call, judges the access network identity of the UE carried in the received request message, executes step 5; and when determining that it does not have the ability of responding to the emergency call, returns a rejection response message.
  • step 5 when determining that the access network identity carried in the request message is the GUTI or P-TMSI, the MME requests the UE to report the IMSI, and when receiving the IMSI reported by the UE, responds to the request message, and allows accessing the network.
  • step 6 when determining that the access network identity carried in the request message is the IMEI, the MME sends the received IMEI to an Equipment Identity Register (EIR) to be authenticated, and when the authentication is passed, responds to the request message, and allows accessing the network.
  • EIR Equipment Identity Register
  • the MME when the MME responds to the emergency call request of the terminal, after determining that the access network identity reported by the UE is the IMEI, the MME only determines whether the IMEI is blacklisted, and when determining that the IMEI is not blacklisted, allows the UE to access the core network.
  • the embodiments of the present invention provide a call authentication method, device and system, which solve a problem that, when a user terminal sends an emergency call request to a network side in a case of emergency attachment, since the network side does not perform security authentication on the user terminal that initiates the call, worse security of the emergency call is caused in the related art.
  • the embodiment of the present invention provides a call authentication method, which comprises:
  • the method further comprises: after allowing the user terminal to access the communication network, the MME receiving an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and the MME sending the received emergency call message to the HSS to be parsed, and returning a response message to the user terminal according to a parse result.
  • the method further comprises: after the MME receives the emergency call request message and before the MME sends the query request to the HSS, according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, the MME searching for a number of times for the user terminal sending the emergency call request to the MME within a set duration; and the MME judging whether a searched number of emergency call requests is greater than a set threshold value, if yes, rejecting to respond to the emergency call request of the user terminal; and if not, executing an operation of sending the query request to the HSS.
  • the step of the MME receiving the second authentication data sent by the user terminal comprises:
  • the step of the MME comparing the first authentication data and the second authentication data comprises:
  • the embodiment of the present invention further provides a call authentication method, which comprises:
  • the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal
  • IMEI International Mobile Equipment Identity
  • the locally stored corresponding relation between the access network identity and the device key comprises:
  • the embodiment of the present invention further provides a call authentication device, which comprises:
  • the device further comprises:
  • the emergency call request message carries the access network identity of the user terminal; the device further comprises: a call-times determination module and a call judgment module, wherein:
  • the comparison module is configured to compare the first authentication data and the second authentication data in the following way:
  • the embodiment of the present invention further provides a Home Subscriber Server (HSS), which comprises:
  • the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal; the first authentication data calculation module is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key.
  • IMEI International Mobile Equipment Identity
  • the embodiment of the present invention further provides a call authentication system, which comprises: a Mobile Management Entity (MME), a user terminal and a Home Subscriber Server (HSS); wherein, the MME is configured to: receive an emergency call request message sent by the user terminal, and send a query request containing an access network identity carried in the emergency call request message to the HSS; receive a query result carrying verification information and first authentication data returned by the HSS, and second authentication data sent by the user terminal; compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network; after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with a security key; and send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result; the user terminal is
  • the user terminal is further configured to: when the user terminal receives the verification information sent by the MME, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
  • the corresponding relation between the IMEI of the user terminal and the device key is locally stored in the user terminal and the HSS respectively, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
  • the embodiments of the present invention disclose a call authentication method, device and system, by locally storing the corresponding relation between the IMEI of the user terminal and the device key in the user terminal and the HSS respectively, when the user terminal sends the emergency call request message to the MME, the MME acquires the security key containing the device key, and the first authentication data obtained by performing calculation with the security key and the random verification information from the HSS, and receives the second authentication data obtained through calculation according to the locally stored security key and the received verification information sent by the user terminal, and compares the first authentication data and the second authentication data, when the comparison result is that the first authentication data and the second authentication data are identical, determines that the authentication is passed, and allows the user terminal to access the communication network, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
  • a symmetrical device key is set in the network side and the user terminal, which is used for the network side performing authentication on the user terminal.
  • the device key is associated with the IMEI of the user terminal, the network side stores a corresponding relation between the IMEI of the user terminal and the device key, and the device key in the HSS, the network side can only acquire a calculation result obtained by performing calculation with the device key through a query and cannot directly acquire the device key;
  • a legal user terminal stores its own device key in a security component, and it also can only acquire a calculation result obtained by performing calculation with the device key through a query and cannot directly acquire the device key, wherein, it is a one-to-one correspondence relation between the device key and the IMEI, and each device key corresponds to only one IMEI.
  • the security key involved in all the embodiments of the present invention is obtained by performing calculation with the stored device key, parameter information and access network identity information of the user terminal according to a set calculation method, both the network side and the user terminal have a function of encryption and decryption, which guarantees the security in a signaling transmission process and makes the utilized air interface resources be protected.
  • FIG. 2 it is a flow chart of a call authentication method according to the embodiment 1 of the present invention, and the method includes the following steps.
  • an MME receives an emergency call request message carrying an access network identity sent by a user terminal, and carries the access network identity into a query request to send to an HSS.
  • the access network identity is an IMEI of the user terminal.
  • the user terminal when the user terminal is in limited calling or an SIM card/a Universal Subscriber Identity Module (USIM) card is not inserted, and an emergency call request is required to be initiated, the user terminal takes its own IMEI as the access network identity and carries the access network identity into the emergency call request message to send to the MME.
  • IMEI the access network identity
  • the MME when receiving the emergency call request message sent by the user, the MME indicates the user terminal to report the access network identity, so as to identify the user terminal.
  • the user terminal When the access network identity reported by the user terminal and received by the MME is a GUIT or a P_TMSI, the user terminal is indicated to report an IMSI of the user terminal; and when the access network identity reported by the user terminal and received by the MME is the IMSI, the user terminal is indicated to report the IMEI of the user terminal.
  • the method also includes:
  • step 102 the MME receives a query result carrying verification information and first authentication data returned by the HSS.
  • the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information, wherein, the security key contains a device key, the device key is determined by the HSS according to a locally stored corresponding relation between the access network identity and the device key.
  • the MME contains the access network identity carried in the received emergency call request message into the query request to send to the HSS.
  • step 1 according to the locally stored corresponding relation between the access network identity and the device key, a device key corresponding to the access network identity contained in the query request is determined.
  • step 2 a security key containing the device key and the randomly generated verification information are used for calculating to obtain the first authentication data.
  • the way of calculation can be to use a set algorithm, and it also can be to calculate according to a protocol rule in the 3rd Generation Partnership Project (3GPP) protocol, which is not limited here.
  • 3GPP 3rd Generation Partnership Project
  • step 3 the randomly generated verification information and the obtained first authentication data are taken as a query result to be sent to the MME.
  • the verification information can be verification information in a 3GPP format, such as RAND; the first authentication data are device-challenge; the query result is RAND
  • step 103 the MME receives second authentication data sent by the user terminal.
  • the second authentication data are obtained by the user terminal performing calculation with the locally stored security key and the verification information after receiving the verification information sent by the MME.
  • the MME receives the query result returned by the HSS, the query result contains random verification information, and the MME sends the random verification information to the user terminal.
  • step 1 a device key corresponding to the IMEI of the user terminal itself is determined.
  • step 2 it is to perform calculation on the received verification information with the security key containing the determined device key to obtain the second authentication data.
  • step 3 the obtained second authentication data are sent to the MME.
  • step 104 the MME compares the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determines that an authentication is passed, and allows the user terminal to access a communication network.
  • the MME judges whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executes an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executes an operation of determining that the authentication is not passed and rejecting accessing the network.
  • step 105 after allowing the user terminal to access the communication network, the MME receives an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key.
  • step 106 the MME sends the received emergency call message to the HSS to be parsed, and returns a response message to the user terminal according to a parse result.
  • the MME Since the HSS stores the device key, and the security key is determined by the device key, the MME is required to perform decryption operation on the received encrypted emergency call message through the HSS when receiving the encrypted emergency call message.
  • the MME by locally storing the corresponding relation between the IMEI of the user terminal and the device key in the user terminal and the HSS respectively, when the user terminal sends the emergency call request message to the MME, the MME acquires the security key containing the device key from the HSS, and acquires the first authentication data obtained by performing calculation with the security key and the random verification information, and receives the second authentication data obtained through calculation according to the locally stored security key and the received verification information sent by the user terminal, and compares the first authentication data and the second authentication data, when the comparison result is that the first authentication data and the second authentication data are identical, determines that the authentication is passed, and allows the user terminal to access the communication network, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
  • FIG. 3 it is a schematic diagram of a structure of a call authentication device according to the embodiment 2, the device includes: a first receiving module 11, a second receiving module 12, a third receiving module 13 and a comparison module 14, wherein:
  • the device also includes: a fourth receiving module 15 and a message processing module 16, wherein:
  • the emergency call request message carries the access network identity of the user terminal.
  • the device also includes: a call-times determination module 17 and a call judgment module 18, wherein:
  • the comparison module 14 is configured to compare the first authentication data and the second authentication data in the following way: judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
  • the HSS includes: a receiving module 21, a first authentication data calculation module 22 and a sending module 23, wherein:
  • the access network identity is an IMEI of the user terminal; the first authentication data calculation module 22 is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key.
  • FIG. 5 it is a structure diagram of a call authentication system according to the embodiment 4, the system includes: an MME 31, a user terminal 32 and an HSS 33, wherein:
  • the user terminal 32 is further configured to: when the user terminal 32 receives the verification information sent by the MME 31, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
  • the corresponding relation between the IMEI of the user terminal and the device key is locally stored in the user terminal and the HSS respectively, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Health & Medical Sciences (AREA)
  • Emergency Management (AREA)
  • Environmental & Geological Engineering (AREA)
  • Public Health (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A call authentication method, device and system are disclosed. The method includes: an MME receiving an emergency call request message carrying an access network identity sent by a user terminal, and carrying the access network identity into a query request to send to an HSS; the MME receiving a query result carrying verification information and first authentication data returned by the HSS; the MME receiving second authentication data sent by the user terminal; and the MME comparing the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network. In the embodiments of the present invention, an illegal user terminal is prevented from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.

Description

    Technical Field
  • The present invention relates to the field of wireless communication, and particularly, to a call authentication method, device and system.
    • Background of the Related Art
  • An emergency call is a peculiar voice service in the mobile communication system, in which a mobile subscriber is allowed to call emergency call centers such as 120 center and 119 fire alarm and so on provided by operators through a mobile communication network covering its location in a case that a mobile terminal is in limited calling or a Subscriber Identity Module (SIM) card is not inserted, wherein, the case that the mobile terminal is in limited calling or the SIM card is not inserted is called an emergency attachment case.
  • In the related art, the mobile terminal initiates an emergency call to the network side in the case of emergency attachment, and the network side can generally neglect an International Mobile Subscriber Identity (IMSI) of the mobile terminal and allows the mobile terminal to access a core network. At this point, the mobile terminal is required to send its International Mobile Equipment Identity (IMEI) of the mobile terminal to the network side; and when receiving the IMEI of the mobile terminal, the network side takes the IMEI as identity information for the mobile terminal emergently accessing the core network. As shown in FIG. 1, FIG. 1 is a flow chart of a subscriber initiating an emergency call through the mobile communication network by using the mobile terminal, and the following steps are included.
  • In step 1, a Radio Resource Control (RRC) connection is established between a mobile terminal (i.e., a User Equipment (UE)) and a base station at the location where the UE is located (i.e., an Evolved Node B (eNodeB)).
  • In step 2, the UE sends a request message to the eNodeB, the request message contains a call type and an access network identity, wherein, the call type is an emergency call type.
  • The access network identity can be a Globally Unique Temporary Identity (GUTI) or a Packet Temporary Mobile Subscriber Identity (P-TMSI) saved by the UE, or an IMSI of the UE, or an IMEI of the UE.
  • In step 3, the eNodeB selects a Mobile Management Entity (MME) for the UE, and forwards the received request message to the MME.
  • In step 4, the MME judges whether the MME itself has an ability of responding to the emergency call, when determining that it has the ability of responding to the emergency call, judges the access network identity of the UE carried in the received request message, executes step 5; and when determining that it does not have the ability of responding to the emergency call, returns a rejection response message.
  • In step 5, when determining that the access network identity carried in the request message is the GUTI or P-TMSI, the MME requests the UE to report the IMSI, and when receiving the IMSI reported by the UE, responds to the request message, and allows accessing the network.
  • In step 6, when determining that the access network identity carried in the request message is the IMEI, the MME sends the received IMEI to an Equipment Identity Register (EIR) to be authenticated, and when the authentication is passed, responds to the request message, and allows accessing the network.
  • In the communication system, when the MME responds to the emergency call request of the terminal, after determining that the access network identity reported by the UE is the IMEI, the MME only determines whether the IMEI is blacklisted, and when determining that the IMEI is not blacklisted, allows the UE to access the core network.
  • Therefore, it will not only cause that a lawbreaker accesses the core network in such a way of emergency call and attacks the core network maliciously to increase insecurity factors of the communication network, but also cause that air interface resources occupied in the communication are not in safety protection since no secure communication link is established between the UE and the network side in the emergency call, which makes certain information in the emergency call be stolen or tampered, and makes the security of the emergency call worse.
    • Summary of the Invention
  • The embodiments of the present invention provide a call authentication method, device and system, which solve a problem that, when a user terminal sends an emergency call request to a network side in a case of emergency attachment, since the network side does not perform security authentication on the user terminal that initiates the call, worse security of the emergency call is caused in the related art.
  • The embodiment of the present invention provides a call authentication method, which comprises:
    • a Mobile Management Entity (MME) receiving an emergency call request message carrying an access network identity sent by a user terminal, and carrying the access network identity into a query request to send to a Home Subscriber Server (HSS);
    • the MME receiving a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information; the security key comprises a device key; the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;
    • the MME receiving second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation with a locally stored security key and verification information after receiving the verification information sent by the MME; and
    • the MME comparing the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network.
  • Alternatively, the method further comprises: after allowing the user terminal to access the communication network,
    the MME receiving an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and
    the MME sending the received emergency call message to the HSS to be parsed, and returning a response message to the user terminal according to a parse result.
  • Alternatively, the method further comprises: after the MME receives the emergency call request message and before the MME sends the query request to the HSS,
    according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, the MME searching for a number of times for the user terminal sending the emergency call request to the MME within a set duration; and
    the MME judging whether a searched number of emergency call requests is greater than a set threshold value, if yes, rejecting to respond to the emergency call request of the user terminal; and if not, executing an operation of sending the query request to the HSS.
  • Alternatively, the step of the MME receiving the second authentication data sent by the user terminal comprises:
    • the MME receiving the second authentication data obtained by the user terminal performing calculation on the received verification information with the locally stored security key when the user terminal receives the verification information sent by the MME.
  • Alternatively, the step of the MME comparing the first authentication data and the second authentication data comprises:
    • the MME judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
  • The embodiment of the present invention further provides a call authentication method, which comprises:
    • a Home Subscriber Server (HSS) receiving a query request sent by a Mobile Management Entity (MME), wherein, the query request contains an access network identity, and the access network identity is carried in an emergency call request message sent by a user terminal to the MME;
    • according to a locally stored corresponding relation between an access network identity and a device key, the HSS determining a device key corresponding to the access network identity contained in the query request, and performing calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; and
    • the HSS taking the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network.
  • Alternatively, the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal;
    the locally stored corresponding relation between the access network identity and the device key comprises:
    • a corresponding relation between the IMEI of the user terminal and the device key locally stored by the HSS
  • The embodiment of the present invention further provides a call authentication device, which comprises:
    • a first receiving module, configured to: receive an emergency call request message carrying an access network identity sent by a user terminal, and carry the access network identity into a query request to send to a Home Subscriber Server (HSS);
    • a second receiving module, configured to: receive a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information; the security key comprises a device key; the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;
    • a third receiving module, configured to: receive second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation on verification information with a locally stored security key after receiving the verification information sent by a Mobile Management Entity (MME); and
    • a comparison module, configured to: compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
  • Alternatively, the device further comprises:
    • a fourth receiving module, configured to: after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and
    • a message processing module, configured to: send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result.
  • Alternatively, the emergency call request message carries the access network identity of the user terminal;
    the device further comprises: a call-times determination module and a call judgment module, wherein:
    • the call-times determination module is configured to: before carrying the received access network identity into the query request to send to the HSS, according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, search for a number of times for the user terminal sending an emergency call request within a set duration; and
    • the call judgment module is configured to: judge whether a searched number of emergency call requests is greater than a set threshold value, if yes, reject to respond to the emergency call request of the user terminal; and if not, execute an operation of carrying the received access network identity into the query request to send to the HSS.
  • Alternatively, the comparison module is configured to compare the first authentication data and the second authentication data in the following way:
    • judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
  • The embodiment of the present invention further provides a Home Subscriber Server (HSS), which comprises:
    • a receiving module, configured to: receive a query request sent by a Mobile Management Entity (MME), wherein, the query request contains an access network identity, and the access network identity is carried in an emergency call request message sent by a user terminal to the MME;
    • a first authentication data calculation module, configured to: according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; and
    • a sending module, configured to: take the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
  • Alternatively, the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal;
    the first authentication data calculation module is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key.
  • The embodiment of the present invention further provides a call authentication system, which comprises: a Mobile Management Entity (MME), a user terminal and a Home Subscriber Server (HSS); wherein,
    the MME is configured to: receive an emergency call request message sent by the user terminal, and send a query request containing an access network identity carried in the emergency call request message to the HSS; receive a query result carrying verification information and first authentication data returned by the HSS, and second authentication data sent by the user terminal; compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network; after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with a security key; and send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result;
    the user terminal is configured to: send the emergency call request message carrying the access network identity to the MME; send the second authentication data to the MME; and after being allowed to access the communication network, send the emergency call message carrying the emergency call contents to the MME, wherein, the emergency call contents are obtained after being encrypted with the security key; and
    the HSS is configured to: receive the query request carrying the access network identity sent by the MME, and according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain the first authentication data and send the first authentication data to the MME; and after allowing the user terminal to access the communication network, receive and parse the emergency call message carrying the emergency call contents sent by the MME.
  • Alternatively, the user terminal is further configured to: when the user terminal receives the verification information sent by the MME, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
  • In the embodiments of the present invention, the corresponding relation between the IMEI of the user terminal and the device key is locally stored in the user terminal and the HSS respectively, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
    • Brief Description of Drawings
    • FIG. 1 is a flow chart of a user initiating an emergency call through the mobile communication network by using the mobile terminal.
    • FIG. 2 is a flow chart of a call authentication method according to the embodiment 1 of the present invention.
    • FIG. 3 is a schematic diagram of a structure of a call authentication device according to the embodiment 2 of the present invention.
    • FIG. 4 is a schematic diagram of a structure of an HSS according to the embodiment 3 of the present invention.
    • FIG. 5 is a structure diagram of a call authentication system according to the embodiment 4 of the present invention.
    Preferred Embodiments of the Invention
  • The embodiments of the present invention disclose a call authentication method, device and system, by locally storing the corresponding relation between the IMEI of the user terminal and the device key in the user terminal and the HSS respectively, when the user terminal sends the emergency call request message to the MME, the MME acquires the security key containing the device key, and the first authentication data obtained by performing calculation with the security key and the random verification information from the HSS, and receives the second authentication data obtained through calculation according to the locally stored security key and the received verification information sent by the user terminal, and compares the first authentication data and the second authentication data, when the comparison result is that the first authentication data and the second authentication data are identical, determines that the authentication is passed, and allows the user terminal to access the communication network, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
  • It should be noted that in the scheme of the embodiment of the present invention, a symmetrical device key is set in the network side and the user terminal, which is used for the network side performing authentication on the user terminal. The device key is associated with the IMEI of the user terminal, the network side stores a corresponding relation between the IMEI of the user terminal and the device key, and the device key in the HSS, the network side can only acquire a calculation result obtained by performing calculation with the device key through a query and cannot directly acquire the device key; a legal user terminal stores its own device key in a security component, and it also can only acquire a calculation result obtained by performing calculation with the device key through a query and cannot directly acquire the device key, wherein, it is a one-to-one correspondence relation between the device key and the IMEI, and each device key corresponds to only one IMEI.
  • The security key involved in all the embodiments of the present invention, no matter in the network side or the user terminal, is obtained by performing calculation with the stored device key, parameter information and access network identity information of the user terminal according to a set calculation method, both the network side and the user terminal have a function of encryption and decryption, which guarantees the security in a signaling transmission process and makes the utilized air interface resources be protected.
  • All the embodiments of the present invention will be described in detail in combination with the description of accompanying drawings. It should be noted that the embodiments in the present invention and the characteristics in the embodiments can be optionally combined with each other in the condition of no conflict.
    • Embodiment 1
  • As shown in FIG. 2, it is a flow chart of a call authentication method according to the embodiment 1 of the present invention, and the method includes the following steps.
  • In step 101, an MME receives an emergency call request message carrying an access network identity sent by a user terminal, and carries the access network identity into a query request to send to an HSS.
  • Wherein, the access network identity is an IMEI of the user terminal.
  • In the step 101, when the user terminal is in limited calling or an SIM card/a Universal Subscriber Identity Module (USIM) card is not inserted, and an emergency call request is required to be initiated, the user terminal takes its own IMEI as the access network identity and carries the access network identity into the emergency call request message to send to the MME.
  • Alternatively, when receiving the emergency call request message sent by the user, the MME indicates the user terminal to report the access network identity, so as to identify the user terminal.
  • When the access network identity reported by the user terminal and received by the MME is a GUIT or a P_TMSI, the user terminal is indicated to report an IMSI of the user terminal; and when the access network identity reported by the user terminal and received by the MME is the IMSI, the user terminal is indicated to report the IMEI of the user terminal.
  • It should be noted that, when the user terminal is in a state that the SIM card is not inserted, there is no IMSI, only the IMEI can be provided to the MME.
  • Alternatively, after the MME receives the emergency call request message, and before the MME sends the query request to the HSS, the method also includes:
    • firstly, according to a corresponding relation between the access network identity of the user terminal and the number of emergency call requests, the MME searching for the number of times for the user terminal sending the emergency call request to the MME within a set duration;
    • wherein, the MME itself has a counter used for counting the number of emergency calls initiated by the user terminal, every time the user terminal sends the emergency call request message, the MME will add one to the number of emergency calls of the user terminal, and record time and a corresponding relation between the access network identity of the user terminal and the number of emergency calls;
    • secondly, the MME judging whether a searched number of call requests is greater than a set threshold value, if yes, rejecting to respond to the emergency call request of the user terminal; and if not, executing an operation of sending the query request to the HSS;
    • wherein, the set threshold value is to limit the number of times for one user terminal sending the emergency call request to the MME within a unit time, and it is generally determined according to the actual demand, which is not limited here.
  • In step 102, the MME receives a query result carrying verification information and first authentication data returned by the HSS.
  • Wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information, wherein, the security key contains a device key, the device key is determined by the HSS according to a locally stored corresponding relation between the access network identity and the device key.
  • In the step 102, the MME contains the access network identity carried in the received emergency call request message into the query request to send to the HSS.
  • After the HSS receives the query request sent by the MME, the following operation steps are executed.
  • In step 1, according to the locally stored corresponding relation between the access network identity and the device key, a device key corresponding to the access network identity contained in the query request is determined.
  • In step 2, a security key containing the device key and the randomly generated verification information are used for calculating to obtain the first authentication data.
  • It should be noted that, the way of calculation can be to use a set algorithm, and it also can be to calculate according to a protocol rule in the 3rd Generation Partnership Project (3GPP) protocol, which is not limited here.
  • In step 3, the randomly generated verification information and the obtained first authentication data are taken as a query result to be sent to the MME.
  • Wherein, the verification information can be verification information in a 3GPP format, such as RAND; the first authentication data are device-challenge; the query result is RAND||device-challenge, it also can be information in other forms, which is determined according to the actual requirement and not limited here.
  • In step 103, the MME receives second authentication data sent by the user terminal.
  • Wherein, the second authentication data are obtained by the user terminal performing calculation with the locally stored security key and the verification information after receiving the verification information sent by the MME.
  • In the step 103, the MME receives the query result returned by the HSS, the query result contains random verification information, and the MME sends the random verification information to the user terminal.
  • After the user terminal receives the verification information, the following operation steps are executed.
  • In step 1, a device key corresponding to the IMEI of the user terminal itself is determined.
  • In step 2, it is to perform calculation on the received verification information with the security key containing the determined device key to obtain the second authentication data.
  • In step 3, the obtained second authentication data are sent to the MME.
  • In step 104, the MME compares the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determines that an authentication is passed, and allows the user terminal to access a communication network.
  • In the step 104, the MME judges whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executes an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executes an operation of determining that the authentication is not passed and rejecting accessing the network.
  • In step 105, after allowing the user terminal to access the communication network, the MME receives an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key.
  • In order to guarantee that the emergency call message sent by the user terminal is not tampered, when the user terminal sends the emergency call message to the MME, an encryption operation is performed on the carried emergency call contents, which guarantees the security of the transmitted message.
  • In step 106, the MME sends the received emergency call message to the HSS to be parsed, and returns a response message to the user terminal according to a parse result.
  • Since the HSS stores the device key, and the security key is determined by the device key, the MME is required to perform decryption operation on the received encrypted emergency call message through the HSS when receiving the encrypted emergency call message.
  • In the scheme of the embodiment 1 of the present invention, by locally storing the corresponding relation between the IMEI of the user terminal and the device key in the user terminal and the HSS respectively, when the user terminal sends the emergency call request message to the MME, the MME acquires the security key containing the device key from the HSS, and acquires the first authentication data obtained by performing calculation with the security key and the random verification information, and receives the second authentication data obtained through calculation according to the locally stored security key and the received verification information sent by the user terminal, and compares the first authentication data and the second authentication data, when the comparison result is that the first authentication data and the second authentication data are identical, determines that the authentication is passed, and allows the user terminal to access the communication network, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.
    • Embodiment 2
  • As shown in FIG. 3, it is a schematic diagram of a structure of a call authentication device according to the embodiment 2, the device includes: a first receiving module 11, a second receiving module 12, a third receiving module 13 and a comparison module 14, wherein:
    • the first receiving module 11 is configured to: receive an emergency call request message carrying an access network identity sent by a user terminal, and carry the access network identity into a query request to send to an HSS;
    • the second receiving module 12 is configured to: receive a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information, the security key contains a device key, the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;
    • the third receiving module 13 is configured to: receive second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation on verification information with a locally stored security key after receiving the verification information sent by an MME; and
    • the comparison module 14 is configured to: compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
  • Alternatively, the device also includes: a fourth receiving module 15 and a message processing module 16, wherein:
    • the fourth receiving module 15 is configured to: after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and
    • the message processing module 16 is configured to: send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result.
  • Wherein, the emergency call request message carries the access network identity of the user terminal.
  • The device also includes: a call-times determination module 17 and a call judgment module 18, wherein:
    • the call-times determination module 17 is configured to: before carrying the access network identity into the query request to send to the HSS, according to a corresponding relation between the access network identity of the user terminal and the number of emergency call requests, search for the number of times for the user terminal sending an emergency call request within a set duration; and
    • the call judgment module 18 is configured to: judge whether a searched number of emergency call requests is greater than a set threshold value, if yes, reject to respond to the emergency call request of the user terminal; and if not, execute an operation of carrying the access network identity into the query request to send to the HSS.
  • The comparison module 14 is configured to compare the first authentication data and the second authentication data in the following way: judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
    • Embodiment 3
  • As shown in FIG. 4, it is a schematic diagram of a structure of an HSS according to the embodiment 3, the HSS includes: a receiving module 21, a first authentication data calculation module 22 and a sending module 23, wherein:
    • the receiving module 21 is configured to: receive a query request sent by an MME, wherein, the query request contains an access network identity, and the access network identity sent is carried in an emergency call request message sent by a user terminal to the MME;
    • the first authentication data calculation module 22 is configured to: according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; and
    • the sending module 23 is configured to: take the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
  • Alternatively, the access network identity is an IMEI of the user terminal;
    the first authentication data calculation module 22 is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key.
    • Embodiment 4
  • As shown in FIG. 5, it is a structure diagram of a call authentication system according to the embodiment 4, the system includes: an MME 31, a user terminal 32 and an HSS 33, wherein:
    • the MME 31 is configured to: receive an emergency call request message sent by the user terminal 32, and send a query request containing an access network identity carried in the emergency call request message to the HSS 33; receive a query result carrying verification information and first authentication data returned by the HSS 33, and second authentication data sent by the user terminal 32; compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal 32 to access a communication network; after allowing the user terminal 32 to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal 32, wherein, the emergency call contents are obtained after being encrypted by the user terminal 32 with a security key; and send the received emergency call message to the HSS 33 to be parsed, and return a response message to the user terminal 32 according to a parse result;
    • the user terminal 32 is configured to: send the emergency call request message carrying the access network identity to the MME 31; send the second authentication data to the MME 31; and after being allowed to access the communication network, send the emergency call message carrying the emergency call contents to the MME 31, wherein, the emergency call contents are obtained after being encrypted with the security key; and
    • the HSS 33 is configured to: receive the query request carrying the access network identity sent by the MME 31, and according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain the first authentication data and send the first authentication data to the MME 31; and after allowing the user terminal 32 to access the communication network, receive and parse the emergency call message carrying the emergency call contents sent by the MME 31.
  • Alternatively, the user terminal 32 is further configured to: when the user terminal 32 receives the verification information sent by the MME 31, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
  • The ordinary person skilled in the art can understand that all or part of the steps in the above method can be completed by a program instructing related hardware, and the program can be stored in a computer readable memory medium, such as a read-only memory, disk or optical disk and so on. Alternatively, all or part of the steps of the above embodiments also can be implemented by using one or multiple integrated circuits. Correspondingly, each module/unit in the above embodiments can be implemented in a form of hardware, and also can be implemented in a form of software function module. The embodiments of the present invention are not limited to any combination of hardware and software in a specific form.
  • Apparently, those skilled in the art can make various modifications and variations for the embodiments of the present invention without departing from the spirit and scope of the present invention. Therefore, if these modifications and variations of the embodiments of the present invention belong to the scope of the claims of the present invention and the equivalent techniques thereof, the present invention also intends to include these modifications and variations.
    • Industrial Applicability
  • In the embodiments of the present invention, the corresponding relation between the IMEI of the user terminal and the device key is locally stored in the user terminal and the HSS respectively, which prevents an illegal user terminal from maliciously using the communication network by means of emergency call, thereby improving the security of the emergency call and guaranteeing the security of application of the communication network.

Claims (15)

  1. A call authentication method, comprising:
    a Mobile Management Entity (MME) receiving an emergency call request message carrying an access network identity sent by a user terminal, and carrying the access network identity into a query request to send to a Home Subscriber Server (HSS);
    the MME receiving a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information; the security key comprises a device key; the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;
    the MME receiving second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation with a locally stored security key and verification information after receiving the verification information sent by the MME; and
    the MME comparing the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network.
  2. The method according to claim 1, further comprising: after allowing the user terminal to access the communication network,
    the MME receiving an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and
    the MME sending the received emergency call message to the HSS to be parsed, and returning a response message to the user terminal according to a parse result.
  3. The method according to claim 1, further comprising: after the MME receives the emergency call request message and before the MME sends the query request to the HSS,
    according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, the MME searching for a number of times for the user terminal sending the emergency call request to the MME within a set duration; and
    the MME judging whether a searched number of emergency call requests is greater than a set threshold value, if yes, rejecting to respond to the emergency call request of the user terminal; and if not, executing an operation of sending the query request to the HSS.
  4. The method according to claim 1, wherein, the step of the MME receiving the second authentication data sent by the user terminal comprises:
    the MME receiving the second authentication data obtained by the user terminal performing calculation on the received verification information with the locally stored security key when the user terminal receives the verification information sent by the MME.
  5. The method according to any one of claims 1 to 4, wherein, the step of the MME comparing the first authentication data and the second authentication data comprises:
    the MME judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
  6. A call authentication method, comprising:
    a Home Subscriber Server (HSS) receiving a query request sent by a Mobile Management Entity (MME), wherein, the query request contains an access network identity, and the access network identity is carried in an emergency call request message sent by a user terminal to the MME;
    according to a locally stored corresponding relation between an access network identity and a device key, the HSS determining a device key corresponding to the access network identity contained in the query request, and performing calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; and
    the HSS taking the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determining that an authentication is passed, and allowing the user terminal to access a communication network.
  7. The method according to claim 6, wherein, the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal;
    the locally stored corresponding relation between the access network identity and the device key comprises:
    a corresponding relation between the IMEI of the user terminal and the device key locally stored by the HSS.
  8. A call authentication device, comprising:
    a first receiving module, configured to: receive an emergency call request message carrying an access network identity sent by a user terminal, and carry the access network identity into a query request to send to a Home Subscriber Server (HSS);
    a second receiving module, configured to: receive a query result carrying verification information and first authentication data returned by the HSS, wherein, the first authentication data are obtained by the HSS performing calculation with a searched security key and randomly generated verification information; the security key comprises a device key; the device key is determined by the HSS according to a locally stored corresponding relation between an access network identity and a device key;
    a third receiving module, configured to: receive second authentication data sent by the user terminal, wherein, the second authentication data are obtained by the user terminal performing calculation on verification information with a locally stored security key after receiving the verification information sent by a Mobile Management Entity (MME); and
    a comparison module, configured to: compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
  9. The device according to claim 8, further comprising:
    a fourth receiving module, configured to: after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with the security key; and
    a message processing module, configured to: send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result.
  10. The device according to claim 8, wherein, the emergency call request message carries the access network identity of the user terminal;
    the device further comprises: a call-times determination module and a call judgment module, wherein:
    the call-times determination module is configured to: before carrying the received access network identity in the query request to send to the HSS, according to a corresponding relation between the access network identity of the user terminal and a number of emergency call requests, search for a number of times for the user terminal sending an emergency call request within a set duration; and
    the call judgment module is configured to: judge whether a searched number of emergency call requests is greater than a set threshold value, if yes, reject to respond to the emergency call request of the user terminal; and if not, execute an operation of carrying the received access network identity into the query request to send to the HSS.
  11. The device according to claim 8, wherein, the comparison module is configured to compare the first authentication data and the second authentication data by means of:
    judging whether the received first authentication data and the second authentication data are identical, if the first authentication data and the second authentication data are identical, executing an operation of determining that the authentication is passed and allowing accessing the network; and if the first authentication data and the second authentication data are different, executing an operation of determining that the authentication is not passed and rejecting accessing the network.
  12. A Home Subscriber Server (HSS), comprising:
    a receiving module, configured to: receive a query request sent by a Mobile Management Entity (MME), wherein, the query request contains an access network identity, and the access network identity is carried in an emergency call request message sent by a user terminal to the MME;
    a first authentication data calculation module, configured to: according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain first authentication data; and
    a sending module, configured to: take the randomly generated verification information and the obtained first authentication data as a query result to send to the MME, so that the MME compares the obtained first authentication data and received second authentication data sent by the user terminal, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network.
  13. The HSS according to claim 12, wherein, the access network identity is an International Mobile Equipment Identity (IMEI) of the user terminal;
    the first authentication data calculation module is further configured to: store a corresponding relation between the IMEI of the user terminal and the device key.
  14. A call authentication system, comprising: a Mobile Management Entity (MME), a user terminal and a Home Subscriber Server (HSS); wherein,
    the MME is configured to: receive an emergency call request message sent by the user terminal, and send a query request containing an access network identity carried in the emergency call request message to the HSS; receive a query result carrying verification information and first authentication data returned by the HSS, and second authentication data sent by the user terminal; compare the first authentication data and the second authentication data, and when a comparison result is that the first authentication data and the second authentication data are identical, determine that an authentication is passed, and allow the user terminal to access a communication network; after allowing the user terminal to access the communication network, receive an emergency call message carrying emergency call contents sent by the user terminal, wherein, the emergency call contents are obtained after being encrypted by the user terminal with a security key; and send the received emergency call message to the HSS to be parsed, and return a response message to the user terminal according to a parse result;
    the user terminal is configured to: send the emergency call request message carrying the access network identity to the MME; send the second authentication data to the MME; and after being allowed to access the communication network, send the emergency call message carrying the emergency call contents to the MME, wherein, the emergency call contents are obtained after being encrypted with the security key; and
    the HSS is configured to: receive the query request carrying the access network identity sent by the MME, and according to a locally stored corresponding relation between an access network identity and a device key, determine a device key corresponding to the access network identity contained in the query request, and perform calculation with a security key containing the device key and randomly generated verification information to obtain the first authentication data and send the first authentication data to the MME; and after allowing the user terminal to access the communication network, receive and parse the emergency call message carrying the emergency call contents sent by the MME.
  15. The system according to claim 14, wherein,
    the user terminal is further configured to: when the user terminal receives the verification information sent by the MME, perform calculation on the received verification information with the locally stored security key to obtain the second authentication data.
EP13803875.7A 2012-09-12 2013-07-31 Call authentication method, device, and system Active EP2874367B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210335631.XA CN103686651B (en) 2012-09-12 2012-09-12 A kind of authentication method based on urgent call, equipment and system
PCT/CN2013/080490 WO2013185709A1 (en) 2012-09-12 2013-07-31 Call authentication method, device, and system

Publications (3)

Publication Number Publication Date
EP2874367A1 true EP2874367A1 (en) 2015-05-20
EP2874367A4 EP2874367A4 (en) 2015-10-21
EP2874367B1 EP2874367B1 (en) 2018-08-29

Family

ID=49757589

Family Applications (1)

Application Number Title Priority Date Filing Date
EP13803875.7A Active EP2874367B1 (en) 2012-09-12 2013-07-31 Call authentication method, device, and system

Country Status (3)

Country Link
EP (1) EP2874367B1 (en)
CN (1) CN103686651B (en)
WO (1) WO2013185709A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10154134B1 (en) 2016-04-05 2018-12-11 State Farm Mutual Automobile Insurance Company Systems and methods for authenticating a caller at a call center
US11696250B2 (en) * 2016-11-09 2023-07-04 Intel Corporation UE and devices for detach handling

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2526583A (en) * 2014-05-28 2015-12-02 Vodafone Ip Licensing Ltd Access class barring for mobile terminated communication and active mobility
CN107222933B (en) * 2017-06-27 2020-11-17 努比亚技术有限公司 Communication method, terminal and computer readable storage medium
CN108419229B (en) * 2018-01-23 2020-08-11 北京中兴高达通信技术有限公司 Access method and device
CN109348057A (en) * 2018-10-25 2019-02-15 维沃移动通信有限公司 A kind of method of calling and mobile terminal
CN112004228B (en) * 2019-05-27 2023-06-02 中国电信股份有限公司 Real person authentication method and system
CN113206886B (en) * 2021-05-08 2023-02-10 深圳市信锐网科技术有限公司 Method, device, equipment and medium for accessing equipment to Internet of things platform

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7764945B2 (en) * 2006-03-08 2010-07-27 Cisco Technology, Inc. Method and apparatus for token distribution in session for future polling or subscription
US9515850B2 (en) * 2009-02-18 2016-12-06 Telefonaktiebolaget Lm Ericsson (Publ) Non-validated emergency calls for all-IP 3GPP IMS networks
US8693642B2 (en) * 2009-04-16 2014-04-08 Alcatel Lucent Emergency call handling in accordance with authentication procedure in communication network
WO2011009496A1 (en) * 2009-07-24 2011-01-27 Telefonaktiebolaget Lm Ericsson (Publ) Terminal identifiers in a communications network
CN102025685B (en) * 2009-09-21 2013-09-11 华为技术有限公司 Authentication processing method and device
CN102055744A (en) * 2009-11-06 2011-05-11 中兴通讯股份有限公司 Implementing system and method of IP (Internet Protocol) multimedia subsystem emergency call service
CN101931955B (en) * 2010-09-03 2015-01-28 中兴通讯股份有限公司 Authentication method, device and system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10154134B1 (en) 2016-04-05 2018-12-11 State Farm Mutual Automobile Insurance Company Systems and methods for authenticating a caller at a call center
US10158754B1 (en) 2016-04-05 2018-12-18 State Farm Mutual Automobile Insurance Company Systems and methods for authenticating a caller at a call center
US10594860B1 (en) 2016-04-05 2020-03-17 State Farm Mutual Automobile Insurance Company Systems and methods for authenticating a caller at a call center
US10721353B1 (en) 2016-04-05 2020-07-21 State Farm Mutual Automobile Insurance Company Systems and methods for authenticating a caller at a call center
US11140261B1 (en) 2016-04-05 2021-10-05 State Farm Mutual Automobile Insurance Company Systems and methods for authenticating a caller at a call center
US11425242B1 (en) 2016-04-05 2022-08-23 State Farm Mutual Automobile Insurance Company Systems and methods for authenticating a caller at a call center
US11696250B2 (en) * 2016-11-09 2023-07-04 Intel Corporation UE and devices for detach handling

Also Published As

Publication number Publication date
WO2013185709A1 (en) 2013-12-19
CN103686651A (en) 2014-03-26
EP2874367A4 (en) 2015-10-21
CN103686651B (en) 2018-05-11
EP2874367B1 (en) 2018-08-29

Similar Documents

Publication Publication Date Title
EP2874367B1 (en) Call authentication method, device, and system
US8706085B2 (en) Method and apparatus for authenticating communication device
CN109716834B (en) Temporary identifier in a wireless communication system
EP3485624B1 (en) Operation related to user equipment using secret identifier
US10171993B2 (en) Identity request control for user equipment
EP2755413B1 (en) Managing undesired service requests in a network
CN109922474B (en) Method for triggering network authentication and related equipment
US10681546B2 (en) Processing method for sim card equipped terminal access to 3GPP network and apparatus
CN102318386A (en) Service-based authentication to a network
EP3119130B1 (en) Restriction control device and restriction control method
WO2016110093A1 (en) D2d mode b discovery security method, terminal and system, and storage medium
US9860825B2 (en) Mobile hardware identity in an environment with multiple radio access networks
US9538378B2 (en) Controlling access to a long term evolution network via a non-long term evolution access network
US11070376B2 (en) Systems and methods for user-based authentication
KR20180061315A (en) Preventing attacks from false base stations
US20150026787A1 (en) Authentication method, device and system for user equipment
CN110087338B (en) Method and equipment for authenticating narrowband Internet of things
CN110830421B (en) Data transmission method and device
CN108243416A (en) User equipment authority identification method, mobile management entity and user equipment
CN114697945B (en) Method and device for generating discovery response message and method for processing discovery message
US9215594B2 (en) Subscriber data management
US8965343B1 (en) Security key based authorization of transceivers in wireless communication devices
EP3488627B1 (en) Proof-of-presence indicator
CN108076009B (en) Resource sharing method, device and system
CN117692902B (en) Intelligent home interaction method and system based on embedded home gateway

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20150212

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

RA4 Supplementary search report drawn up and despatched (corrected)

Effective date: 20150923

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 12/06 20090101ALI20150917BHEP

Ipc: H04W 76/00 20090101ALI20150917BHEP

Ipc: H04W 4/22 20090101ALI20150917BHEP

Ipc: H04L 29/06 20060101AFI20150917BHEP

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20171006

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 76/00 20180101ALI20180213BHEP

Ipc: H04W 12/06 20090101ALI20180213BHEP

Ipc: H04L 29/06 20060101AFI20180213BHEP

INTG Intention to grant announced

Effective date: 20180309

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1036507

Country of ref document: AT

Kind code of ref document: T

Effective date: 20180915

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602013042848

Country of ref document: DE

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20180829

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20181130

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20181129

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20181229

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20181129

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1036507

Country of ref document: AT

Kind code of ref document: T

Effective date: 20180829

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602013042848

Country of ref document: DE

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20190531

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20190731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190731

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190731

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190731

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20181229

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20130731

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602013042848

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: H04L0029060000

Ipc: H04L0065000000

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180829

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20230620

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20230608

Year of fee payment: 11

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20230607

Year of fee payment: 11